Microsoft Issues Critical Patch for ASP.NET Core Privilege Escalation Flaw
AI-generated from multiple sources. Verify before acting on this reporting.
Microsoft released an out-of-band security update Tuesday to address a critical vulnerability in its ASP.NET Core framework that could allow unauthenticated attackers to gain SYSTEM-level privileges on affected servers.
The software giant issued the patch on April 22, 2026, following the discovery of a flaw in the ASP.NET Core Data Protection cryptographic APIs. The vulnerability, classified as critical, enables remote code execution without requiring user credentials. Security researchers warned that successful exploitation could allow attackers to escalate privileges to the highest level on compromised systems, potentially granting full control over enterprise networks.
The update targets the ASP.NET Core Data Protection APIs, which are widely used in enterprise applications to encrypt and decrypt sensitive data. The flaw stems from improper handling of cryptographic operations, allowing malicious actors to bypass security controls. Microsoft stated that the vulnerability is being actively exploited in the wild, prompting the immediate release of the patch outside its regular monthly update cycle.
System administrators are urged to apply the update immediately. The patch is available through Windows Update and Microsoft's official download centers. Organizations running ASP.NET Core applications on Windows Server, Azure, or other cloud environments are advised to prioritize remediation. Microsoft has not disclosed the full technical details of the exploit to prevent further abuse, but confirmed that the fix addresses the root cause of the privilege escalation.
The vulnerability affects multiple versions of ASP.NET Core, including those deployed in production environments across financial, healthcare, and government sectors. No specific organizations have been confirmed as victims, though security firms have detected scanning activity targeting unpatched systems. The out-of-band nature of the release underscores the urgency of the threat.
Microsoft's security team is working with industry partners to monitor for additional exploitation attempts. The company has not specified whether the vulnerability was discovered by internal researchers or external security firms. Questions remain about the scope of the attack and whether any data breaches have already occurred as a result of the flaw.
The patch is expected to be included in the next cumulative update for Windows Server and related products. Microsoft has advised customers to review their security configurations and ensure that all systems are running the latest versions of ASP.NET Core. The company will continue to monitor the situation and provide updates as more information becomes available.